Re: [secdir] SECDIR Review of draft-ietf-oauth-amr-values-04

Mike Jones <> Tue, 17 January 2017 22:50 UTC


Thank you for taking the time to review the document, Cathy.  We appreciate it!

                                                                -- Mike

From: Catherine Meadows []
Sent: Thursday, December 01, 2016 8:20 AM
Cc: Catherine Meadows
Subject: SECDIR Review of draft-ietf-oauth-amr-values-04

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document establishes a registry for Authentication Method Reference (amr) values used by the OpenID protocol and defines an initial set of such values. The amr claim is already defined and registered in IANA; this document serves to implement it. The amr provides a field in which information about the type of authentication being used is provided, using the amr values.

The authors of the document address both security and privacy concerns. The privacy concern is that the amr claim provides information about the form of authentication used, which could have privacy implications in some cases, and that this document does not provide any guidance as to how privacy-relevant credentials, such as biometric information, are stored and protected. As the authors point out, the latter is beyond the scope of the document.

The security concerns are mainly derived from those of the OpenID protocol. The authors also warn that amr may be more brittle than another related claim, acr, since acr provides information about whether a particular set of business rules were satisfied, while amr only tells you whether a particular type of authentication was used. This could lead to a policy that relies on particular forms of authentication, which would be harder to update as security needs change.

I think that the authors have done a good job of addressing security and privacy concerns, and I don’t see any issues here. I consider this document ready.

Cathy Meadows

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
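The following is an added example, not part of the review or of the draft, illustrating the amr-versus-acr brittleness point raised above from a relying party's side. The claim sets are constructed by hand (no real tokens), the amr values "pwd", "otp" and "hwk" are taken from the registry this document establishes, and the acr value "urn:example:assurance:2fa" is an invented placeholder for whatever identifier an authorization server would actually define.

```python
import json

# Constructed ID Token claim sets, as a relying party would see them AFTER
# signature, issuer, audience and expiry checks. Not real tokens.
# 2016: the provider satisfies its 2FA rule with password + one-time password.
TOKEN_2016 = json.loads(
    '{"sub": "alice", "acr": "urn:example:assurance:2fa", "amr": ["pwd", "otp"]}'
)
# 2017: same business rule, but the provider moved to password + hardware key.
TOKEN_2017 = json.loads(
    '{"sub": "alice", "acr": "urn:example:assurance:2fa", "amr": ["pwd", "hwk"]}'
)
# Malformed: amr must be a JSON array, not a bare string.
TOKEN_MALFORMED = json.loads(
    '{"sub": "bob", "acr": "urn:example:assurance:2fa", "amr": "pwd"}'
)


def amr_values(claims):
    """Return the amr claim as a list of strings.

    amr is optional; when present it must be a JSON array of case-sensitive
    strings. Anything else is rejected rather than silently coerced.
    """
    amr = claims.get("amr")
    if amr is None:
        return []
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise ValueError("amr must be a JSON array of strings")
    return amr


def amr_is_well_formed(claims):
    """True if the amr claim is absent or a proper array of strings."""
    try:
        amr_values(claims)
        return True
    except ValueError:
        return False


def method_policy(claims, required_methods):
    """Policy keyed on concrete authentication methods (the brittle option).

    Every method in required_methods must appear in amr. Comparison is
    case-sensitive, matching how amr values are defined.
    """
    return set(required_methods).issubset(amr_values(claims))


def acr_policy(claims, accepted_acr_values):
    """Policy keyed on the authorization server's acr identifier.

    acr names the business rule that was satisfied, so the relying party
    does not need to know which methods the server currently uses for it.
    """
    return claims.get("acr") in accepted_acr_values


def decision(claims):
    """Evaluate both policies on one claim set and return the verdicts."""
    return {
        "method_policy": method_policy(claims, ["pwd", "otp"]),
        "acr_policy": acr_policy(claims, {"urn:example:assurance:2fa"}),
    }


if __name__ == "__main__":
    for name, token in (("2016", TOKEN_2016), ("2017", TOKEN_2017)):
        print(name, decision(token))
```

Running the block shows the point the reviewer summarises: the method-keyed policy written against the 2016 token rejects the 2017 token even though the same assurance rule was met, while the acr-keyed policy accepts both; the relying party that hard-codes amr values has to ship a policy change every time the provider's methods evolve.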